This article describes a method for assessing the overall risk of re-identification for a health data set and how that risk information can be used to decide how much to de-identify the data before it's disclosed. Such an approach ensures that the amount of distortion to the data is proportionate to the risk involved in disclosing a particular data set to a particular data recipient.